Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
MongoDB Encryption Guide: Secure Your Data
Protect your MongoDB data by encrypting it. We show you how to do this with examples.
Securing Data in Transit
To protect the communication between your MongoDB instance and the clients or applications that need to access it from potential hacker attacks, you can encrypt them. Configure them to require connections that use Transport Layer Security (TLS). Like its predecessor, Secure Sockets Layer (SSL), TLS is a cryptographic protocol that encrypts data as it is transmitted over a network.
Note that TLS only encrypts data as it is transmitted over a network – also known as data in transit. Even if you have configured MongoDB to require connections to be made using TLS, the static database data on the server, also known as data at rest, remains unencrypted. It is not possible to encrypt data at rest with the free Community Edition of MongoDB, but this is possible with the paid subscription-based Enterprise Edition of Mongo.
Encryption at Rest and In Transit
Even if both encryption at rest and encryption in transit are enabled, an unauthorised user could potentially still access your sensitive data. For example, imagine that you have deployed a sharded NoSQL document database to store data for an ice cream delivery application you have developed. The database management system allows you to encrypt data at rest, which you enable, and you also configure it to require encrypted TLS connections between shards as well as clients.
Example of a Security Vulnerability
In this example, when a customer places an order, they are asked to enter some sensitive information such as their home address or credit card number. The application then writes this information into the database into a document, such as:
<
"name" : "Andreas Müller",
"address" : {
"street" : "Heganger 29",
"city" : "Hallstadt",
"state" : "Bayern",
"zip" : 96103
},
"phone" : "0123 456789-0",
"creditcard" : "1231231231231231"
}
This is a potential security vulnerability: Anyone with permissions could access the database, see your clients’ sensitive information and misuse it.
Client-Side Field Encryption
To minimise this risk, since version 4.2 the official MongoDB drivers allow client-side field encryption to be performed. This means that an application, if properly configured, can encrypt certain fields within a document before the data is sent to the database. Once the data is written to the database, only applications or clients that can present the correct encryption keys can decrypt and read the data in those fields. Otherwise, the data document would look similar to this example (assuming the street, city, postcode, phone and credit card fields were encrypted on the client side):
"name" : "Andreas Müller",
"address" : {
"street" : BinData(6,"eirefi3eid5feiZae9t+oot0noh9oovoch3=iethoh9t"),
"city" : BinData(6,"xiesoh+aiveez=ngee1yei+u0aijah2eeKu7jeeB=oGh"),
"state" : "Bayern",
"zip" : BinData(6,"CoYeve+ziemaehai=io1Iliehoh6rei2+oo5eic0aeCh")
},
"phone" : BinData(6,"quas+eG4chuolau6ahq=i8ahqui0otaek7phe+Miexoo"),
"creditcard" : BinData(6,"rau0Teez=iju4As9Eeyiu+h4coht=ukae8ahFah4aRo=")
}
MongoDB stores encoded values as binary data, as indicated by the BinData class labels in the example above. The 6 in each value represents the binary subtype in which the data is stored and indicates what type of binary data has been encoded. Values that have been encoded using Mongo’s client-side field encoding always use subtype 6. Guide: Secure Your Data
Create a Free Account
Register now and gain exclusive access to advanced resources, personalized support, and a community of experts.
Recent posts
Start Your Free Trial and Secure Your MongoDB Databases Today
Embark on the path to ultimate data security with our cloud-based MongoDB solutions. Sign up for a free trial and gain access to top-tier encryption for data at rest and in transit. Don't let your valuable data be vulnerable to threats. Secure your databases with our cutting-edge encryption technology now and experience peace of mind with our cloud services.